Clawberth
March 12, 2026

The Fake OpenClaw Installer Threat: How to Verify You're Installing the Real Thing

Supply-chain attacks targeting OpenClaw are real. Learn how to verify your installer, audit your setup, and lock down your self-hosted AI agent the right way.

security installation safety

OpenClaw gives you something rare in the AI space: an autonomous agent that runs on your hardware, under your control, with your credentials. That power is exactly why a fake installer is not just an inconvenience — it’s a skeleton key to your digital life.

This post is not about fear. It’s about verification. If you’re installing OpenClaw for the first time, or you installed it a while back and aren’t sure where you got it, this guide will help you confirm you’re running the real thing and lock it down properly.

Why OpenClaw Is a High-Value Target

OpenClaw operates on a personal-assistant trust model. Once installed, it sits inside ~/.openclaw/ — a directory that becomes your trusted operator boundary. Inside that boundary live credentials for WhatsApp, Telegram, Discord, your AI model API keys, gateway tokens, and whatever else you’ve connected. The agent can read files, execute commands, control a browser, and send messages on your behalf.

That’s the point. That’s what makes it useful.

It’s also what makes a compromised installation devastating. A tampered OpenClaw binary doesn’t need to install a separate backdoor — it is the backdoor, already authorized to do everything the real agent can do, except now someone else is watching.

Supply-chain attacks against developer tools are not hypothetical. We’ve seen poisoned npm packages, trojanized VS Code extensions, and fake GitHub repositories targeting everything from cryptocurrency wallets to CI/CD pipelines. OpenClaw, with its deep system access and growing user base, is a natural next target.

What Already Happened

CVE-2026-25253: Token Exfiltration and 1-Click RCE

In early 2026, security researchers disclosed CVE-2026-25253 — a vulnerability in how OpenClaw handled gatewayUrl configurations. A crafted configuration could exfiltrate gateway tokens, and in the worst case, enable one-click remote code execution. The vulnerability was found, responsibly disclosed, and patched.

The fix shipped quickly. But the incident highlighted something important: OpenClaw’s architecture means that configuration tampering isn’t just a settings problem — it’s a full-compromise problem. If someone can modify your ~/.openclaw/ directory or swap your binary, the blast radius is everything the agent touches.

Reuters Report: State-Level Concern

In March 2026, Reuters reported that China had warned state agencies about OpenClaw, citing security concerns around self-hosted AI agents with broad system access. Whatever your view on the geopolitics, the signal is clear: governments consider OpenClaw’s access model significant enough to issue advisories about. That same access model is why you should care about where your installer came from.

The Official Installation Sources

There are exactly four legitimate ways to install OpenClaw. If you didn’t use one of these, you should verify your installation immediately.

macOS, Linux, and WSL2

curl -fsSL https://openclaw.ai/install.sh | bash

Windows (PowerShell, via WSL2)

iwr -useb https://openclaw.ai/install.ps1 | iex

Important: There is no official native Windows installer. OpenClaw on Windows runs through WSL2. If you downloaded a .exe or .msi claiming to be OpenClaw for Windows, it is not official.

npm

npm install -g openclaw@latest

This requires Node.js 22 or later. If your system has an older version, update Node first — don’t use a “convenience” installer that bundles its own runtime.

Source

git clone https://github.com/openclaw/openclaw.git

Build from source if you want to inspect everything yourself. The repository is at github.com/openclaw/openclaw — not any fork, mirror, or “community edition.”

What Is NOT Official

The OpenClaw project explicitly warns: avoid third-party 1-click marketplace images. This includes:

  • Docker Hub images not published by the OpenClaw organization
  • Cloud marketplace AMIs or droplet images
  • Browser extension “companions” or “installers”
  • Homebrew taps or APT repositories run by third parties
  • GitHub forks that offer “pre-built binaries” or “easy install scripts”
  • Telegram bots or Discord servers distributing install links

If someone packages OpenClaw into a convenient image and publishes it, you have no way to verify what else they included. The official install takes under a minute. There is no reason to use a shortcut.
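To check a pasted install command against the official sources listed above before running it, the following added example (not part of the OpenClaw project; the function names are hypothetical) accepts only an exact https scheme, host, and path match. The lookalike URLs in the demo are constructed.

```sh
#!/bin/sh
# Added example: refuse an install command unless its URL is one of the
# official sources named in this post. Function names are hypothetical.

# Pull the first URL out of a pasted command line.
url_from_command() {
  printf '%s\n' "$1" | grep -oE "https?://[^[:space:]|\"']+" | head -n 1
}

# Print a verdict; return 0 only for an exact official scheme + host + path.
classify_install_url() {
  url=$1
  case $url in
    https://*) rest=${url#https://} ;;
    *) echo "reject: not an https URL"; return 1 ;;
  esac
  authority=${rest%%/*}
  case $rest in
    */*) path=/${rest#*/} ;;
    *)   path=/ ;;
  esac
  # A user@ prefix or :port suffix means the visible name is not the real host.
  case $authority in
    *@*|*:*) echo "reject: userinfo or port in '$authority'"; return 1 ;;
  esac
  host=$(printf '%s' "$authority" | tr 'A-Z' 'a-z')
  case "$host$path" in
    openclaw.ai/install.sh|openclaw.ai/install.ps1|github.com/openclaw/openclaw.git)
      echo "ok: $host$path"; return 0 ;;
  esac
  case $host in
    openclaw.ai|github.com) echo "reject: unexpected path $path on $host" ;;
    *) echo "reject: host '$host' is not an official source" ;;
  esac
  return 1
}

# Demo: the official command from this post, then constructed lookalikes.
for cmd in \
  "curl -fsSL https://openclaw.ai/install.sh | bash" \
  "curl -fsSL https://openclaw.io/install.sh | bash" \
  "curl -fsSL https://openclaw.ai.downloads.example/install.sh | bash" \
  "git clone https://github.com/example-fork/openclaw.git"
do
  classify_install_url "$(url_from_command "$cmd")" || true
done
```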

Red Flags: How to Spot a Fake

Watch for these signals that something is wrong:

The URL is wrong. The install script comes from https://openclaw.ai/install.sh — not openclaw.io, openclawai.com, get-openclaw.sh, or any variation. Check the domain carefully. Typosquatting is the oldest trick in the book.

It doesn’t require Node 22+. The real OpenClaw requires Node.js version 22 or later. If an installer doesn’t check for this, or bundles its own Node runtime, that’s suspicious.

It asks for credentials during installation. OpenClaw configures credentials after installation, through its own setup flow. No legitimate installer asks for your API keys, tokens, or passwords as part of the install process.

There’s a native Windows .exe. It doesn’t exist. If you’re looking at one, close it.

It modifies unexpected system files. OpenClaw lives in ~/.openclaw/ and its global npm directory. It should not be writing to /etc/, modifying your shell profile beyond standard PATH additions, or installing kernel modules.

The gateway binds to 0.0.0.0. A default OpenClaw gateway binds to loopback (127.0.0.1). If your installation is listening on all interfaces out of the box, something has been modified.
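One way to check the bind address on Linux or WSL2, as an added example that is not part of OpenClaw: the function below reads `ss -H -ltn` output and reports any non-loopback address listening on a given port. The post does not state the gateway port, so the ports in the constructed sample are placeholders.

```sh
#!/bin/sh
# Added example: flag a gateway port listening on anything other than loopback.
# Input is `ss -H -ltn` output; pass the port your gateway actually uses.

# Prints each non-loopback local address bound to PORT; returns 1 if any exist.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, part, ":")        # local address:port; IPv6 adds colons
      if (part[n] != port) next
      addr = substr($4, 1, length($4) - length(part[n]) - 1)
      if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
      print addr
      found = 1
    }
    END { exit found }
  '
}

# Constructed sample in `ss -H -ltn` layout (12345 and 12346 are placeholders).
sample_ss_output() {
  cat <<'EOF'
LISTEN 0      511        127.0.0.1:12345      0.0.0.0:*
LISTEN 0      511            [::1]:12345         [::]:*
LISTEN 0      511          0.0.0.0:12346      0.0.0.0:*
LISTEN 0      511             [::]:12346         [::]:*
EOF
}

sample_ss_output | exposed_listeners 12345 && echo "12345: loopback only"
sample_ss_output | exposed_listeners 12346 || echo "12346: exposed on the addresses above"
```

On a live system, run `ss -H -ltn | exposed_listeners <port>` with your gateway's port.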

Post-Install: Audit Your Setup

Even if you installed from an official source, running a security audit is good practice. OpenClaw ships with a built-in audit tool:

openclaw security audit

This checks for:

  • Inbound access exposure — Is your gateway accessible from the network?
  • Tool blast radius — Which tools are enabled, and what can they reach?
  • Network exposure — Open ports, listening services
  • Browser control — Is browser automation locked down?
  • Disk hygiene — Unexpected files in ~/.openclaw/
  • Plugin integrity — Are installed plugins what they claim to be?
  • Policy drift — Has your configuration diverged from safe defaults?

For a thorough check, use the deep flag:

openclaw security audit --deep

To automatically fix common issues:

openclaw security audit --fix

For CI/CD or scripted checks, use JSON output:

openclaw security audit --json

Run the audit after installation, after updates, and periodically as part of your maintenance routine. Think of it like npm audit but for your entire agent runtime.

Hardened Configuration Baseline

After verifying your installation, consider tightening the defaults. Here’s a hardened baseline that reduces attack surface while keeping OpenClaw functional for most use cases:

{
  gateway: {
    mode: "local",
    bind: "loopback",
    auth: { mode: "token", token: "replace-with-long-random-token" },
  },
  tools: {
    profile: "messaging",
    deny: ["group:automation", "group:runtime", "group:fs", "sessions_spawn", "sessions_send"],
    exec: { security: "deny", ask: "always" },
    elevated: { enabled: false },
  },
}

The tools.profile: "messaging" setting limits the agent to communication tools — no file system access, no shell execution, no browser control beyond what’s explicitly granted. The exec.security: "deny" setting prevents the agent from running arbitrary commands. The gateway stays bound to localhost and requires token authentication.

You can relax these settings as needed, but starting locked down and opening up deliberately is safer than starting open and hoping nothing goes wrong.

What to Do If You Installed a Fake Version

If you suspect your OpenClaw installation is not legitimate:

1. Stop the agent and gateway immediately.

openclaw gateway stop

Kill any remaining processes manually if needed.

2. Do not just reinstall over the top. A compromised installation may have modified files outside ~/.openclaw/. A clean reinstall won’t undo that.

3. Rotate every credential that was configured in OpenClaw — Telegram sessions, Discord tokens, WhatsApp auth, API keys, everything in ~/.openclaw/. Assume they were exfiltrated.

4. Check your gateway token. If gatewayUrl was modified (the vector in CVE-2026-25253), your gateway token may have been sent to an attacker-controlled server.

5. Audit system changes. Check for unexpected cron jobs, modified shell profiles, new SSH keys, or unfamiliar services. A tampered installer had root-level ambitions.

6. Reinstall from official sources on a clean system or after thorough remediation. Use one of the four methods listed above, and run openclaw security audit --deep immediately after.

7. Report it. If you can identify the fake installer’s source — a URL, a repository, a marketplace listing — report it to the OpenClaw team and to the platform hosting it.
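For step 5, a starting point for triage, as an added example that is not an OpenClaw feature: it lists shell profiles, SSH authorized keys, and per-user service files in a home directory that were modified in the last N days. The path list is an assumption about where such changes commonly appear on Linux; extend it for your system.

```sh
#!/bin/sh
# Added example: list persistence-relevant files in a home directory that
# changed within the last N days. The path list is an assumption.

# Relative to the home directory: shell profiles, SSH keys, per-user services.
WATCH_PATHS=".bashrc .bash_profile .profile .zshrc .zprofile
.ssh/authorized_keys .config/systemd/user .config/autostart"

# changed_since HOME_DIR DAYS -> sorted relative paths modified in last DAYS days
changed_since() {
  (
    cd "$1" || exit 2
    for rel in $WATCH_PATHS; do
      [ -e "$rel" ] || continue
      find "$rel" -type f -mtime "-$2" -print
    done | LC_ALL=C sort
  )
}

# Cron entries are not stored under $HOME: review `crontab -l` separately.
# Read-only listing for the current user over the last 30 days.
changed_since "${HOME:-.}" 30 || true
```

Anything listed that you did not edit yourself since the suspect install deserves a line-by-line read before you trust the system again.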

The Bigger Picture

Self-hosted AI agents are a new category of software with an unusual trust profile. They’re not just apps that run on your machine — they’re apps that act on your behalf, with your credentials, across multiple services. The security model is fundamentally different from a web app behind a login page.

OpenClaw’s approach — keeping everything local, under operator control, auditable — is architecturally sound. But that architecture only protects you if the software is actually what it claims to be. Verification is not paranoia. It’s the foundation that everything else rests on.

Install from official sources. Run the audit. Harden the config. And if something looks wrong, trust that instinct. In security, the cost of checking is always lower than the cost of assuming.

Want a verified, hardened installation without the manual work? We’re building managed hosting for OpenClaw — pre-audited, locked down, and kept up to date. Join the waitlist and we’ll handle the security so you can focus on what your agent does.